RFC: Signed JAR Packaging Policy
Thomas Fitzsimmons
fitzsim at redhat.com
Mon Mar 12 21:55:34 UTC 2007
Tom 'spot' Callaway wrote:
> On Mon, 2007-03-12 at 15:16 -0600, Richard Megginson wrote:
>> Jesse Keating wrote:
>>> On Monday 12 March 2007 17:02:06 Matthew Miller wrote:
>>>
>>>> On Mon, Mar 12, 2007 at 04:57:45PM -0400, Warren Togami wrote:
>>>>
>>>>> Why is this bad?
>>>>> It still is not fully reproducible in a sense that other people can't
>>>>> take our source, modify it slightly, and make a Sun-blessed JSS JAR.
>>>>>
>>>> I'm really against it. At the very least, it screws over CentOS. This is a bad
>>>> path to be going down.
>>>>
>>>> I'd much prefer gcj and the future Fedora-shipped implementation of the Sun
>>>> JVM to make it easy to use self-generated certificates. If someone wants to
>>>> install a proprietary JVM, let's make _that_ the hard case.
>>>>
>>> I agree. How much fun would it be if Apache suddenly decided to not function
>>> with self-signed certs and any cert you used had to come from VeriSign?
>>>
>> A radical way to do this would be for Fedora to acquire a signing cert
>> from Sun, and redistribute the key and cert with the JSS package.
>
> Clarification: Fedora can't acquire a signing cert from Sun. Only Red
> Hat, Inc can.
>
> I doubt Red Hat is willing to get a cert/key, then freely distribute
> them with the packages. I can hear lawyers screaming at the thought.
>
> IMHO, either we ship them unsigned, or we don't ship them.
Agreed, except there's no reason not to ship them. So I say ship them unsigned
for use on gcj now, and then...
> When Sun GPLs the Java bits, we can fix this properly.
Tom